Filed 9/26/22 Vigil v. Muir Medical Group IPA CA1/2 NOT TO BE PUBLISHED IN OFFICIAL REPORTS California Rules of Court, rule 8.1115(a), prohibits courts and parties from citing or relying on opinions not certified for publication or ordered published, except as specified by rule 8.1115(b). This opinion has not been certified for publication or ordered published for purposes of rule 8.1115.
IN THE COURT OF APPEAL OF THE STATE OF CALIFORNIA
FIRST APPELLATE DISTRICT
DIVISION TWO
MARIA VIGIL, Plaintiff and Appellant, A160897 v. MUIR MEDICAL GROUP IPA, (Contra Costa County INC., Super. Ct. No. C1801331) Defendant and Respondent.
Maria Vigil filed a class action against Muir Medical Group IPA, Inc. (Muir), claiming that it failed to secure patients’ personal information, thereby allowing a former employee to download private medical information belonging to over 5,000 patients and take it with her when she left her employment with Muir. Among other causes of action, the class complaint alleges that Muir violated Civil Code 1 sections 56.101 and 56.36, subdivision (b), of the Confidentiality of Medical Information Act (CMIA) (§ 56 et seq.) by negligently releasing class members’ confidential medical information. Several months after initiating the action, Vigil filed a motion for class certification. The trial court denied the motion, finding as to the CMIA claim
1 Unless otherwise indicated, all statutory references are to the Civil Code.
1 that each class member would have to show that the confidential nature of his or her medical information had been breached by an unauthorized party, as required by Sutter Health v. Superior Court (2014) 227 Cal.App.4th 1546 (Sutter Health), and therefore that common issues would not predominate. Vigil appeals, asserting that the trial court relied on an erroneous reading of the CMIA and that a breach of confidentiality can be shown on a class wide basis. We reject those arguments, and we affirm, concluding that the trial court properly applied the CMIA and exercised its discretion in denying class certification. BACKGROUND I. The Data Breach and Vigil’s Complaint Muir is an independent practice association that consists of primary care and specialty care providers that provide medical services to patients through the John Muir Health system. In May 2018, Ute Burness, Chief Executive Officer of Muir, notified certain patients that their personal information may have been involved in a data breach that occurred in December 2017. According to Burness, Muir discovered in March 2018 that a former employee took with her certain information in the possession of Muir before her employment ended with Muir (the data breach). The letter stated that Muir conducted an investigation, and “there is no evidence to date that your personal information has been misused in any way.”2 Vigil was one of the patients
2 The trial court granted Muir’s motion to file under seal some portions of the class certification papers and the supporting evidence. Accordingly, we will not divulge the content of the sealed portions of the record (Cal. Rules of Court, rule 8.46(b)(1)), which largely concern Muir’s internal investigation of
2 who received this notice. Muir later admitted that the former employee, Myrissa Centeno, had downloaded copies of information for over 5,400 patients that included insurance and clinical information. In July 2018, Vigil filed a class action complaint asserting causes of action for violation of the Customer Records Act (CRA) (§ 1798.80 et seq.), violation of the CMIA (§ 56 et seq.), unlawful and unfair business practices under the Unfair Competition Law (UCL) (Bus. & Prof. Code, § 17200 et seq.), and negligence. The UCL claim was predicated on the statutory and negligence claims. The complaint alleged that under the Health Insurance Portability and Accountability Act’s (HIPAA) Security Management Process standard (45 C.F.R. § 164.308), Muir’s employees should not have had access to records concerning approximately 5,500 patients without a “compelling” reason, nor should they have been able to take sensitive patient information with them. The complaint sought compensatory and punitive damages for Muir’s alleged negligence in failing to secure plaintiffs’ personal information. The complaint also alleged that this negligence violated the CRA. The complaint further alleged that Muir violated sections 56.101, subdivision (a), and 56.36, subdivision (b), of the CMIA by negligently releasing patients’ medical information without those patients’ authorization. Accordingly, the complaint sought statutory damages under the CMIA for each class member. II. Motion for Class Certification In September 2019, Vigil moved for class certification, appointment of her counsel as class counsel and appointment of herself as class
the data breach and the issue of whether Muir failed to take adequate measures to secure patients’ confidential information.
3 representative. As pertinent here, Vigil contended that the complaint presented questions common to the class regarding whether Muir was negligent in handling class members’ private medical information by failing to comply with its own HIPAA security policies, whether this negligence caused the data breach, and whether Centeno accessed and retained the private medical information without authorization. Vigil supported her motion with her declaration, citations to the depositions of two of Muir’s HIPAA security officers and some of the deposition exhibits, including Muir’s HIPAA policies, and Muir’s discovery responses. In opposition, Muir argued, among other things, that a CMIA claim requires a showing that the confidential nature of the plaintiff’s medical information was breached, and that Sutter Health, supra, 227 Cal.App.4th 1546 held that there is no breach of confidentiality under the CMIA unless an unauthorized party has “actually viewed” the information. (Id. at p. 1550.) Thus, according to Muir, individualized issues of fact and law would predominate over the common questions because each putative class member would have to show that an unauthorized person viewed his or her confidential medical information. In her reply, Vigil asserted that the case could be decided on a class- wide basis because there was evidence that Centeno downloaded, retained, and viewed a patient spreadsheet, and the CMIA does not require a showing that an unauthorized person read each line of medical data. In support, Vigil presented excerpts of the deposition of Janet Kesterson, Centeno’s colleague at her current employer, that Vigil contended shows Centeno disclosed to Kesterson patient information she obtained from Muir. Kesterson testified that in March 2018, their employer tasked her and Centeno with traveling to offices to get phone numbers for Medicare members. Centeno told Kesterson
4 there was no need to go to those offices because she had the phone numbers, and she “lifted her phone and just scrolled real fast.” Kesterson testified that she could not “decipher what information [Centeno] was scrolling through.” She “could just tell it was an Excel spreadsheet.” Following a hearing on the motion, the trial court issued an order denying class certification. The court found that Vigil had conceded that the CRA does not apply to Muir, and thus the “crux” of Vigil’s case “rest[ed] on her claim for breach of the Confidentiality of Medical Information Act.” 3 It further found that the predominance of common questions requirement was not met because under the CMIA, “individualized inquiries would be required to prove Defendant’s liability and damages to each of the nearly 5,500 proposed class members.” Specifically, it concluded that “[l]iability for each class member is predicated on whether his or her information was actually viewed, which on these facts is not capable of resolution in the aggregate.” Vigil appeals from the order denying class certification. DISCUSSION Vigil argues we should reverse the trial court’s order because it relied on an erroneous reading of the CMIA in finding a predominance of individual issues. We conclude the trial court did not err in its application of the CMIA, and the class complaint’s allegations raise questions regarding breach of confidentiality and causation that necessarily require individualized inquiries regarding many, if not all, of the putative class members. Those individualized issues predominate over common questions of law and fact, and thus we uphold the order denying class certification. (See Linder v.
3 On appeal, Vigil does not dispute this finding, and thus for purposes of this appeal, we presume the trial court was correct in finding that the CRA does not apply here and that this matter turns on the CMIA claim. (See Hewlett-Packard Co. v. Oracle Corp. (2021) 65 Cal.App.5th 506, 563.)
5 Thrifty Oil Co. (2000) 23 Cal.4th 429, 436 (Linder) [“ ‘Any valid pertinent reason stated will be sufficient to uphold the order’ ”].) I. Legal Standards A. The Governing Statutes The CMIA protects the confidentiality of patients’ medical information. (Loder v. City of Glendale (1997) 14 Cal.4th 846, 859.) It does so by prohibiting health care providers from disclosing a patient’s medical information without authorization (§ 56.10) and imposing a duty on health care providers who create, maintain, or dispose of medical information to do so in a manner that preserves the confidentiality of that information (§ 56.101, subd. (a)). Subdivision (b) of section 56.36 provides remedies to patients for a health care provider’s “release” of confidential medical information in violation of the CMIA. (§ 56.36, subd. (b).) Here, Vigil alleges Muir violated section 56.101, subdivision (a), thereby invoking the remedy in section 56.36, subdivision (b). Subdivision (a) of section 56.101 provides in full, “Every provider of health care, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein. Any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.” (§ 56.101, subd. (a).) Section 56.36, subdivision (b), provides, in turn, “In addition to any other remedies available at law, any individual may bring an action against
6 any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following: [¶] (1) Except as provided in subdivision (e), nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it is not necessary that the plaintiff suffered or was threatened with actual damages. [¶] (2) The amount of actual damages, if any, sustained by the patient.” B. The Case Law Interpreting Sections 56.36 and 56.101 of the CMIA Sutter Health, supra, 227 Cal.App.4th 1546 and its predecessor, Regents of University of California v. Superior Court (2013) 220 Cal.App.4th 549 (Regents), are central to the parties’ arguments in this appeal. Those cases address some of the requirements of a CMIA claim under sections 56.101, subdivision (a), and 56.36, subdivision (b), and hold that one such requirement is a breach of the confidentiality of the plaintiff’s medical information.
In Regents, a thief stole an external hard drive and a card containing the hard drive’s encryption password from the home of a physician working within the Regents health care system. (Regents, supra, 220 Cal.App.4th at p. 554.) The plaintiff, whose medical information was on the hard drive along with the medical information of more than 16,000 other patients, filed a complaint asserting a violation of the CMIA and seeking nominal damages for herself and for each of the more than 16,000 patients. (Regents, at pp. 554–555.) The complaint alleged that Regents failed to exercise due care to prevent the release or disclosure of the medical information, “ ‘and as a result it negligently lost possession of the hard drive and encryption passwords.’ ” (Id. at p. 555.) Regents demurred to the complaint, and the trial court overruled the demurrer. (Id. at pp. 555–556.) Regents sought a
7 writ of mandate requiring the trial court to sustain the demurrer, and the appellate court granted review of the trial court’s ruling. (Id. at pp. 557, 571.)
On review, the court first noted that the parties did not dispute that the plaintiff had adequately alleged a violation of the duty imposed on Regents by section 56.101, subdivision (a), “to maintain and store medical information in a manner that preserves the confidentiality of that information.” (Regents, supra, 220 Cal.App.4th at p. 560.) The court thus framed the issue before it as “the nature of [the remedy in section 56.36, subdivision (b)] as applied to the negligent maintenance or storage of medical information.” (Ibid.) That section and the elements of the cause of action it creates, the court held, are incorporated by reference into section 56.101 and require a “release” of confidential information. (Regents, at pp. 561–562, 564.) Regents argued that the term “release” in section 56.36 was synonymous with “disclose” in section 56.10, subdivision (a), which requires a showing of an “affirmative communicative act” by the healthcare provider. (Regents, at p. 564.) The court disagreed, finding that under the common or ordinary dictionary meanings of those terms, “disclose” is an active verb, while “release” is broader and can include passive conduct. (Ibid.) It concluded, “a health care provider who has negligently maintained confidential medical information and thereby allowed it to be accessed by an unauthorized third person—that is, permitted it to escape or spread from its normal place of storage—may have negligently released the information within the meaning of CMIA.” (Id. at p. 565.)
The Regents court went on to hold, however, that even under this broad interpretation of “release,” pleading loss of possession was insufficient to state a cause of action under sections 56.101, subdivision (a), and 56.36, subdivision (b), for negligent maintenance or storage of confidential medical
8 information. (Regents, supra, 220 Cal.App.4th at pp. 569–570.) “What is required is pleading, and ultimately proving, that the confidential nature of the plaintiff’s medical information was breached as a result of the health care provider’s negligence.” (Id. at p. 570.) The court noted in a footnote that section 56.101 allows a health care provider to dispose of, and therefore lose possession of, confidential medical records so long as the confidentiality of the records is preserved. (Regents, at p. 570, fn. 14.) In the case before it, no one knew what happened to the hard drive other than the thief that stole it, and thus the court concluded the plaintiff could not allege that her medical records “were, in fact, viewed by an unauthorized individual.” (Id. at p. 570.) All she alleged was that Regents negligently lost possession of the medical information. (Ibid.) Accordingly, the court issued a writ of mandate directing the trial court to vacate its order overruling Regents’ demurrer and to enter a new order sustaining the demurrer without leave to amend. (Id. at p. 571.)
The Third District decided Sutter Health the following year. Sutter Health involved a stolen desktop computer. (Sutter Health, supra, 227 Cal.App.4th at p. 1552.) Stored on the computer’s hard drive were the medical records of more than four million patients in password-protected but unencrypted format. (Ibid.) The plaintiffs filed a complaint asserting violations of the CMIA. (Sutter Health, at p. 1552.) The defendant health care provider demurred, arguing the complaint did not state a claim under the CMIA because it did not allege that any unauthorized person had viewed the stolen medical information. (Sutter Health, at p. 1552.) The trial court overruled the demurrer, concluding the complaint sufficiently alleged a cause of action for breach of the CMIA. (Sutter Health, at p. 1552.) On a petition for writ of mandate challenging the order overruling the defendant’s demurrer, the Court of Appeal agreed with Regents that the plaintiffs must
9 plead and prove a breach of confidentiality, and it clarified that “[n]o breach of confidentiality takes place until an unauthorized person views the medical information.” (Sutter Health, at pp. 1553, 1555, 1557.)
The Third District arrived at this conclusion differently from the Second District, however. (Sutter Health, supra, 227 Cal.App.4th at p. 1555.) Unlike the Regents court, the Sutter Health court found that the duty of confidentiality imposed on health care providers by section 56.101 was not violated without an actual confidentiality breach, and that there was no need to consider the remedy provided in section 56.36 until such a violation occurred. (Sutter Health, at p. 1555.) The Third District relied on the first sentence of subdivision (a) of section 56.101—“ ‘Every provider of health care . . . who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein.’ ” (Sutter Health, at p. 1556.) This language, the court opined, “makes it clear that preserving the confidentiality of the medical information, not necessarily preventing others from gaining possession of the paper-based or electronic information itself, is the focus of the legislation. Therefore, if the confidentiality is not breached, the statute is not violated.” (Ibid.) The first sentence of that subdivision “allows for change of possession as long as confidentiality is preserved.” (Ibid.) The court further reasoned that “[n]o breach of confidentiality takes place until an unauthorized person views the medical information,” because “[i]t is the medical information, not the physical record (whether in electronic, paper, or other form), that is the focus of the Confidentiality Act.” (Id. at p. 1557.)
The court noted that the second sentence of section 56.101, subdivision (a), does not repeat the language in the first sentence imposing a
10 duty of confidentiality on the health care provider but this did not change its analysis because the second sentence makes the health care provider liable for negligence. (Sutter Health, supra, 227 Cal.App.4th at pp. 1557–1558.) Applying general negligence principles, the court found that “[t]he duty is to preserve confidentiality, and a breach of confidentiality is the injury protected against.” (Id. at p. 1558.) “Without an actual confidentiality breach there is no injury and therefore no negligence under section 56.101.” (Ibid.)
The court concluded the defendant did not violate section 56.101 because the plaintiffs had not alleged that their information was viewed. (Sutter Health, supra, 227 Cal.App.4th at p. 1559.) Accordingly, the court found that there was no reason to look to section 56.36 since it provides remedies only when a health care provider “ ‘has negligently released confidential information or records concerning [the plaintiff] in violation of this part . . . .’ ” (Sutter Health, at p. 1558.)
Although Regents and Sutter Health were decided at the pleading stage, both hold that a breach of confidentiality under sections 56.101, subdivision (a) and 56.36, subdivision (b) requires more than a showing that the health care provider negligently maintained or stored confidential information and lost possession of the information because of its negligence.
The interpretation of the CMIA in this case arises not on writ review of a demurrer ruling but on appeal from a ruling denying class certification. We turn, therefore, to the standards for class certification.
C. Class Certification Standards and Standards of Review To properly allege a class, Vigil must “demonstrate the existence of an ascertainable and sufficiently numerous class, a well-defined community of
11 interest, and substantial benefits from certification that render proceeding as a class superior to the alternatives.” (Brinker Restaurant Corp. v. Superior Court (2012) 53 Cal.4th 1004, 1021 (Brinker).) Community of interest, or commonality, encompasses three factors, including “ ‘predominant common questions of law or fact.’ ” (Linder, supra, 23 Cal.4th at p. 435.) “To establish the requisite community of interest, the proponent of certification must show, inter alia, that questions of law or fact common to the class predominate over the questions affecting the individual members . . . .” (Washington Mutual Bank, FA v. Superior Court (2001) 24 Cal.4th 906, 913.) The denial of class certification to an entire class is an appealable order. (Linder, supra, 23 Cal.4th at p. 435.) We review a ruling on class certification for abuse of discretion. (Brinker, supra, 53 Cal.4th at pp. 1017, 1022.) A trial court ruling supported by substantial evidence will not be disturbed unless it rests on improper criteria or erroneous legal assumptions. (Sav-On Drug Stores, Inc. v. Superior Court (2004) 34 Cal.4th 319, 326–327.) We review de novo issues of statutory construction. (Regents, supra, 220 Cal.App.4th at p. 558.) II. Analysis A. The Trial Court Did Not Err in Its Interpretation of the CMIA. This class action is predicated on Muir’s alleged negligence in maintaining and releasing confidential information in violation of sections 56.101, subdivision (a), and 56.36, subdivision (b), and thus Vigil and the putative class members must plead and prove that “the confidential nature of the plaintiff’s medical information was breached as a result of the health care provider’s negligence.” (Regents, supra, 220 Cal.App.4th at p. 570.) Vigil appears to agree that Muir has not violated sections 56.101,
12 subdivision (a), and 56.36, subdivision (b), unless there is a breach of confidentiality. The parties dispute, however, what this showing entails and whether it is an individualized showing.
1. The Court Correctly Determined That a Breach of Confidentiality Requires an Unauthorized Person to Have “Actually Viewed” the Confidential Medical Information. Vigil first argues that under Regents, confidential information that is “viewed, published, accessed, downloaded, copied, or otherwise ‘permitted[] to escape from its normal place of storage’ ” is “released” within the meaning of section 56.36, subdivision (b), and that a plaintiff need only show that the health care provider negligently “released” the confidential medical information to establish a claim under sections 56.36, subdivision (b), and 56.101, subdivision (a). She asserts that Sutter Health wrongly narrowed the Regents standard for a negligent release claim by requiring a showing that an unauthorized party “actually viewed” the confidential medical information to prove a breach of confidentiality.
Based on the statute’s plain language, we agree with Sutter Health that a breach of confidentiality under the CMIA requires a showing that an unauthorized party viewed the confidential information. The CMIA does not define the term “confidential,” but the ordinary meaning of the word supports Sutter Health’s “viewed” requirement. (Angelucci v. Century Supper Club (2007) 41 Cal.4th 160, 168 [“In interpreting a statute, we first consider its words, giving them their ordinary meaning and construing them in a manner consistent with their context and the apparent purpose of the legislation”].) The common or ordinary dictionary definition of “confidential” is “private” or “secret.” (See, e.g., Black’s Law Dict. (11th ed. 2019) p. 373, col. 1 [“meant to be kept secret]; Webster’s Third New International Dict. (1961) p. 158, col. 1 [“private, secret”].) Thus, under the ordinary meaning of “confidential,” the
13 confidential nature of information is not breached unless the information is reviewed by unauthorized parties. This construction is consistent with the purpose of the CMIA to protect patients’ privacy. (See Brown v. Mortensen (2011) 51 Cal.4th 1052, 1071 [“[T]he interest protected by [the CMIA] is an interest in informational privacy”].)
Moreover, we also agree with Sutter Health’s reasoning that section 56.101, subdivision (a), which allows a health care provider to “dispose” of or “abandon” medical information so long as the confidentiality of that information is preserved, indicates the Legislature did not intend to “impose[] liability if the health care provider simply loses possession of the medical records.” (Sutter Health, supra, 227 Cal.App.4th at p. 1556.) A breach of confidentiality thus entails more than mere loss of possession and does not “take[] place until an unauthorized person views the medical information.” (Id. at p. 1557.)4
Vigil presents no basis for departing from Sutter Health. We disagree that Sutter Health “narrow[ed]” Regents by requiring more than mere loss of possession of medical records to establish a breach of confidentiality. After noting that the plaintiff could not “allege her medical records were, in fact, viewed by an unauthorized individual,” the Second District held her pleading was “deficient” because it amounted to no “more than an allegation of loss of possession by the health care provider.” (Regents, supra, 220 Cal.App.4th at p. 570.)
4 Indeed, as the court in Regents stated, loss of possession is not necessarily required. “[A] breach of confidentiality, of course, can occur whether or not the information remains in the actual possession of the health care provider.” (Regents, supra, 220 Cal.App.4th at p. 570, fn. 14.) It is an unauthorized person’s viewing and/or use of another’s medical records that violates the latter’s interest in privacy of the information they contain.
14 Vigil relies on Regents’ plain meaning construction of the term “release”—“permit[ting] [the confidential information] to escape or spread from its normal place of storage” and “allow[ing] it to be accessed” by an unauthorized party—as support for her argument. However, Regents does not stand for the proposition that mere loss of possession is sufficient on its own to prove a breach of confidentiality under sections 56.101, subdivision (a), and 56.36, subdivision (b). The Regents court opined that providing an unauthorized party access to confidential information “may” support a negligent release claim under the CMIA. (Regents, supra, 220 Cal.App.4th at p. 565.) But Regents expressly held that mere loss of possession was insufficient to establish a “release,” even under a “broad interpretation” of that term. (Id. at p. 570.) By “release” in section 56.36, subdivision (b) “as incorporated into section 56.101,” the Legislature intended “more than an allegation of loss of possession by the health care provider is necessary to state a cause of action for negligent maintenance or storage of confidential medical information.” (Regents, at p. 570.)
Vigil points to other sections of the CMIA that use the term “release” as support for her argument that the Legislature intended section 56.36, subdivision (b), to refer to the actions of the custodian in “surrendering” or “mak[ing] available” private medical information to third parties. But those sections set forth the circumstances in which a health care provider may release medical information to the patient or to third parties; they do not impose liability on the health care provider for its “negligence.” (Compare § 56.101, subd. (a) with §§ 56.11, 56.104, 56.07.) Muir, on the other hand, contends that the Legislature’s use of the word “negligently” in sections 56.101 and 56.36 supports the conclusion in Regents and Sutter
15 Health that a breach of confidentiality under the CMIA requires more than a release of confidential information. We agree.
“ ‘The fundamental purpose of statutory construction is to ascertain the intent of the lawmakers so as to effectuate the purpose of the law.’ ” (Realmuto v. Gagnard (2003) 110 Cal.App.4th 193, 199.) As Sutter Health appears to have recognized in its application of general negligence principles (Sutter Health, supra, 227 Cal.App.4th at pp. 1557–1558), when the Legislature couches its enactment in common law language, we presume that it intended to carry over such rules as were part of the common law into statutory form. (Presbyterian Camp & Conference Centers, Inc. v. Superior Court (2021) 12 Cal.5th 493, 503 (Presbyterian Camp).) The essential elements of common law negligence are “the existence of a duty to use due care toward an interest of another that enjoys legal protection against unintentional invasion” (Bily v. Arthur Young & Co. (1992) 3 Cal.4th 370, 397), breach of that duty, injury, and causation (Dixon v. City of Livermore (2005) 127 Cal.App.4th 32, 42).
Vigil’s interpretation of sections 56.36 and 56.101 conflicts with the presumption that the Legislature intended to incorporate those common law negligence principles. Imposing liability on a health care provider for the release of confidential information without a showing that an unauthorized party viewed the information would eliminate the injury and causation elements of negligence. “[T]he interest protected by [the CMIA] is an interest in informational privacy.” (Brown v. Mortensen, supra, 51 Cal.4th at p. 1071; see also Sutter Health, supra, 227 Cal.App.4th at p. 1558 [“a breach of confidentiality is the injury protected against” by the CMIA].) Although sections 56.101 and 56.36 do not expressly state that a health care provider is liable only if its negligence caused a breach of confidentiality, it would be
16 inappropriate to read the causation and injury elements out of those sections, absent a clear expression by the Legislature of the intent to abrogate this common law. (See Presbyterian Camp, supra, 12 Cal.5th at p. 503.) No such intent appears here.
Vigil contends Sutter’s reliance on the “duty of confidential[ity] that pervades CMIA” is misplaced because some courts have recognized that a breach of confidentiality can occur when the information is merely “disclosed” or “disseminated,” regardless of whether unauthorized parties viewed the information. But the cases Vigil cites as support for this argument do not address the CMIA and are inapposite. None stand for the proposition that confidentiality is automatically breached whenever the confidential information is disseminated to unauthorized parties. In U.S. Dept. of Justice v. Landano (1993) 508 U.S. 165, cited by Vigil, the court addressed the meaning of “confidential source” as used in an exemption from disclosure under the federal Freedom of Information Act (FOIA) for records compiled by criminal law enforcement authorities in the course of a criminal investigation. (Landano, at p. 167.) The exemption applies if the release of criminal investigation records “ ‘could reasonably be expected to disclose’ the identity of, or information provided by, a ‘confidential source.’ ” (Ibid.) In rejecting the defendant’s argument “that a source is ‘confidential’ for purposes of [the exemption] only if the source can be assured, explicitly or implicitly, that the source’s cooperation with the Bureau will be disclosed to no one,” the court concluded “this cannot have been Congress’ intent.” (Id. at p. 171.) To read “confidential source” as meaning one given “[a] promise of complete secrecy” would mean “the FBI agent receiving the source’s information could not share it even with other FBI personnel” and the information “would be of little use to the Bureau.”
17 (Id. at p. 173.) The court’s practical construction of the phrase “confidential source” in the context of the exemption from FOIA sheds no light on the nature of the CMIA’s breach of confidentiality element. Similarly inapposite is Berkeley Police Assn. v. City of Berkeley (2008) 167 Cal.App.4th 385 (Berkeley Police Assn.), in which the court held that interpreting a local ordinance to permit public hearings on citizen complaints against a police officer would conflict with provisions of the Police Officers Bill of Rights (POBRA) because it would result in disclosure of police personnel records those provisions required to be kept confidential. (Berkeley Police Assn., at pp. 404–405.) The court’s discussion of which records were confidential within the meaning of POBRA, which focused on earlier California Supreme Court authority interpreting the scope of POBRA’s confidentiality provision and on the specific text of the relevant POBRA provisions (Berkeley Police Assn., at pp. 395–402), likewise has no bearing on the meaning of the CMIA’s language regarding health care providers’ liability for breach of confidentiality.
The third case cited by Vigil, Culinary Foods, Inc. v. Raychem Corp. (N.D.Ill. 1993) 151 F.R.D. 297, addressed the request of plaintiff, Culinary, for a protective order for certain materials it sought to discover from Raychem and Raychem’s request for a more restrictive order. The parties disputed whether Culinary could disseminate materials determined to be confidential to litigants and attorneys involved in similar actions against Raychem. (Id. at p. 306.) The court declined to allow such dissemination because it “would unduly raise the risk that Raychem’s competitors will obtain access to this confidential information” and “make enforcement of this protective order overly burdensome to Raychem,” as “evidenced by the fact that third parties have in fact received information in violation of protective
18 orders issued by other courts.” (Id. at p. 307.) Insofar as Vigil’s point in citing Culinary Foods is that allowing unauthorized access to confidential information can increase the risk that someone will view and/or make use that information, that is no doubt true. However, it does not answer the question of whether the Legislature, in adopting sections 56.36 and 56.101, intended to impose liability in situations where no actual invasion of the plaintiff’s privacy occurs. Moreover, the Sutter Health court recognized that the change of possession of confidential information increases the risk of a confidentiality breach, but nonetheless held that the CMIA “does not provide for liability for increasing the risk of a confidentiality breach.” (Sutter Health, supra, 227 Cal.App.4th at p. 1557.)
Vigil also asserts that a plaintiff would only have to show that an unauthorized party “downloaded” or “copied” confidential medical information to establish a claim under sections 56.36, subdivision (b), and 56.101, subdivision (a). However, she fails to present any cogent argument or legal authority in support of this conclusion in her opening brief. 5 In any
5 In her reply, Vigil cites for the first time a federal case in support of her argument that a breach of confidentiality occurred when Centeno downloaded the patient spreadsheet and saved it to her personal phone or email account. Even assuming Vigil has not forfeited this argument (see Paulus v. Bob Lynch Ford, Inc. (2006) 139 Cal.App.4th 659, 685), that case is distinguishable because the plaintiff’s claims arose from defendants’ breach of contractual, not statutory, duties. (Allergan, Inc. v. Merz Pharmaceuticals, LLC (C.D.Cal., March 9, 2012, No. SACV 11-446 AG (Ex)) 2012 WL 781705, at p. *11.) In her reply, Vigil also attempts to factually distinguish this case from Sutter Health based on evidence indicating that Centeno was aware of the contents of the patient spreadsheet and of its value to her new employer, that she downloaded it and retained it after her termination from Muir, and that she offered to provide the spreadsheet to her new employer. She fails to explain, however, why those facts show Sutter Health was wrongly decided.
19 event, a party that downloads or copies electronic files, as Centeno allegedly did in this case, does not necessarily breach confidentiality if the party has not actually viewed the confidential information included in the file. “It is the medical information, not the physical record (whether in electronic, paper, or other form), that is the focus of the Confidentiality Act).” (Sutter Health, supra, 227 Cal.App.4th at p. 1557.)
Finally, Vigil argues that the rule of Sutter Health will lead to unintended or absurd results. But interpreting sections 56.101 and 56.36 to impose liability on health care providers for the “release” of confidential information would expose health care providers to liability whenever an unauthorized party gains possession of the information, regardless of whether confidentiality was breached. On this issue, the Sutter Health court presented the example of a thief grabbing a computer containing medical information on four million patients and then wiping the hard drive without viewing the information. (Sutter Health, supra, 227 Cal.App.4th at p. 1558.) In that situation, the health care provider would be liable for at least $4 billion if we were to interpret section 56.101 as providing nominal damages to every person whose medical information came into the possession of an unauthorized person. (Ibid.) We do not believe the Legislature intended such an extreme result. By contrast, the CMIA’s purpose of protecting the confidentiality of private medical information is preserved by interpreting those sections as requiring a showing that the confidentiality of the information was breached because of the health care provider’s negligence.
Vigil cites Stasi v. Inmediata Health Grp. Corp. (S.D.Cal. 2020) 501 F.Supp.3d 898 (Stasi) as support for her argument. There, the defendant posted confidential medical information on the internet, “making it searchable, findable, viewable, printable, copiable, and downloadable by
20 anyone in the world with an internet connection.” (Id. at p. 924.) Vigil argues that under “any conceivable standard,” the confidentiality of the information at issue in that case was destroyed once it was published online, while that would not be the case under Sutter Health if the plaintiffs could not prove that an unauthorized party viewed their information. What she ignores is that the court in Stasi upheld Sutter Health’s “viewed” requirement. (Stasi, at p. 923.) There, on appeal from a motion to dismiss for failure to state a claim, the court found that the complaint’s allegations gave rise to a reasonable inference that “someone” viewed the confidential information since it was accessible “by anyone in the world with an internet connection.” (Id. at p. 924.) Thus, Stasi does not support Vigil’s argument.
We therefore conclude the trial court correctly determined that a breach of confidentiality under sections 56.36, subdivision (b), and 56.101, subdivision (a), requires a showing that an unauthorized party viewed the confidential information at issue.
2. Vigil Has Not Shown That a Breach of Confidentiality Can Be Established on a Class-Wide Basis. Vigil next challenges the trial court’s finding that each class member would have to prove that his or her medical information was viewed by an unauthorized party. She argues that such a requirement cannot be found in section 56.36, Sutter Health or Regents. Instead, she claims, Regents shows that Vigil would not have to prove that Centeno read any of the information contained within the patient spreadsheet; her ability to access the information is sufficient under the CMIA. But, as previously discussed, the mere ability of an unauthorized party to access information cannot support a claim under sections 56.101, subdivision (a), and 56.36, subdivision (b). Vigil further contends that under Sutter Health, she need only show that Centeno
21 viewed the confidential records and not individual data entries. Muir disagrees, arguing that whether a breach of confidentiality under the CMIA occurred is an inherently individualized inquiry.
We agree that a breach of confidentiality under the CMIA is an individualized issue. Regents recognized that sections 56.36, subdivision (b), and 56.101, subdivision (a), provide a private cause of action for individual patients. This private cause of action, like the right of privacy, “ ‘ “is purely a personal one.” ’ ” (Regents, supra, 220 Cal.App.4th at p. 563 & fn. 6.) “The remedy provided in subdivision (b) [of section 56.36] is the right of an individual whose confidential information has been released in violation of CMIA to bring a private cause of action for nominal and/or actual damages.” (Id. at p. 561.) For a negligent maintenance claim under section 56.101, subdivision(a), there is no “release[] . . . in violation of [the CMIA]” if there is no breach of confidentiality. (§§ 56.36, subd. (b), 56.101, subd. (a).) Accordingly, the individual bringing a private cause of action under those sections must establish that the confidential nature of his or her information was breached because of the health care provider’s negligence. (See Regents, at p. 570.)
Contrary to Vigil’s assertion in her opening brief, Sutter Health does not stand for the proposition that under the CMIA, a plaintiff need only show that an unauthorized party viewed some of the confidential information included in a medical record, regardless of whether the information viewed concerned the plaintiff. Sutter Health did not address this precise issue, which Vigil concedes in her reply.
Vigil contends that because a negligent release claim leads to lesser penalties under subdivision (b) of section 56.36 than an intentional release
22 claim under subdivision (c) of that section,6 a negligent release claim requires a correspondingly less stringent evidentiary standard. But the legislative history she cites as support for this argument suggests that the purpose of the penalties under that section is deterrence, which in turn indicates that the increased penalties were intended to correspond with the increased culpability of the person or entity that discloses or uses medical information in violation of the CMIA. (See Assem. Com. on Judiciary, Analysis of Sen. Bill No. 19 (1999-2000 Reg. Sess.) July 13, 1999, p. 9 [“While the new civil penalties in the bill appropriately apply to ‘knowing and willful’ violations, the author believes that lesser penalties for negligent conduct that leads to an unauthorized disclosure should also be included in order to deter those releases as well”].) There is nothing in this history that suggests a negligent release claim does not require an individualized showing for the breach of confidentiality element.
Vigil argues for the first time in her reply that based on the plain language of section 56.36, subdivision (b), each class member would only have to prove that the medical records negligently released by the health care provider concerned them. Even assuming she has not forfeited this argument (Paulus v. Bob Lynch Ford, Inc., supra, 139 Cal.App.4th at p. 685), it lacks merit. Section 56.36, subdivision (b), provides that the medical records or information must have been “negligently released . . . in violation of this part.” (§ 56.36, subd. (b).) As mentioned, there is no “release[] . . . in
6 Subdivision (c) of section 56.36 sets forth administrative fines and penalties to be imposed on a person or entity that uses or discloses medical information in violation of the CMIA. The amount of the fines and penalties increase when the use or disclosure is knowing and willful instead of negligent. (§ 56.36, subd. (c).)
23 violation of” section 56.101, subdivision (a), if the confidential nature of the information was not breached. (§§ 56.36, subd. (b), 56.101, subd. (a).)
Accordingly, we conclude that each class member would have to show that his or her medical information was viewed by an unauthorized party to recover under the CMIA.
B. The Trial Court Did Not Abuse Its Discretion in Finding a Predominance of Individual Issues. Since Vigil has not shown that a breach of confidentiality can be established on a class wide basis, the question then is whether the common questions predominate over those individualized questions.
The key inquiry in determining whether the predominance requirement has been met is whether “the issues which may be jointly tried, when compared with those requiring separate adjudication, must be sufficiently numerous and substantial to make the class action advantageous to the judicial process and to the litigants.” (City of San Jose v. Superior Court (1974) 12 Cal.3d 447, 460.) “Presented with a class certification motion, a trial court must examine the plaintiff’s theory of recovery, assess the nature of the legal and factual disputes likely to be presented, and decide whether individual or common issues predominate.” (Brinker, supra, 53 Cal.4th at p. 1025; see also Ayala v. Antelope Valley Newspapers, Inc. (2014) 59 Cal.4th 522, 530 [the question at the class certification stage is “whether the operative legal principles, as applied to the facts of the case, render the claims susceptible to resolution on a common basis”].)
“ ‘As a general rule if the defendant’s liability can be determined by facts common to all members of the class, a class will be certified even if the members must individually prove their damages.’ ” (Brinker, supra, 53 Cal.4th at p. 1022.) However, “class treatment is not appropriate ‘if every
24 member of the alleged class would be required to litigate numerous and substantial questions determining his individual right to recover following the “class judgment” ’ on common issues.” (Duran v. U.S. Bank National Assn. (2014) 59 Cal.4th 1, 28.) “ ‘Only in an extraordinary situation would a class action be justified where, subsequent to the class judgment, the members would be required to individually prove not only damages but also liability.’ ” (Id. at p. 30.) Here, based in part on Sutter Health’s “viewed” requirement, the trial court found that class treatment was not warranted because individualized inquiries would be required to prove Muir’s liability and damages for each of the nearly 5,500 putative class members.
In challenging the trial court’s determination, Vigil contends there are common questions regarding whether Centeno had unauthorized access to the patient spreadsheet and whether Muir was negligent in protecting that document. The evidence she presented on those issues below consists of the depositions of two of Muir’s HIPAA security officers, a report from the investigation of the data breach, and Muir’s policies. Based on this evidence, the question whether Muir failed to use due care in maintaining patients’ private medical information is a significant issue susceptible to common proof. However, Vigil’s burden “is not merely to show that some common issues exist, but rather, to place substantial evidence in the record that common issues predominate.” (Lockheed Martin Corp. v. Superior Court (2003) 29 Cal.4th 1096, 1108.)
On this record, the trial court did not abuse its discretion in concluding individual issues would predominate over common issues. The record demonstrates that Centeno may have viewed some of the information on the patient spreadsheet, but Vigil presented no evidence indicating whose information was viewed. There is also no evidence suggesting that other
25 unauthorized parties viewed the information in the patient spreadsheet or that it was posted or disclosed in a public forum like the information at issue in Stasi or in Berkeley Police Assn. Therefore, most, if not all, of the almost 5,500 potential class members would be unable to maintain their CMIA claims against Muir unless they could establish that an unauthorized party viewed their confidential medical information and that Muir’s negligence caused this breach of confidentiality.
In our research, we have not found any state cases, and the parties have not provided any, that concern the predominance requirement in a CMIA case or in a similar data breach action. The few federal cases that address CMIA claims, however, suggest that individual questions regarding whether a breach of confidentiality occurred and whether the health care provider’s negligence caused the breach can be numerous and varied. In In re Premera, for example, the defendant was a health care provider that maintained patients’ confidential information in a centralized database. (In re Premera Blue Cross Customer Data Security Breach Litigation (D.Or. 2016) 198 F.Supp.3d 1183, 1188.) In January 2015, it discovered that hackers had breached its computer network beginning in May 2014. (Id. at pp. 1189– 1190.) The plaintiff subsequently filed a complaint for violation of the CMIA, which the defendant moved to dismiss. (Premera, at pp. 1190–1191.) The court concluded the plaintiff had adequately alleged a CMIA claim because in May 2015, she discovered on her credit report an inquiry for a car loan that she did not recognize, and her checking account had been fraudulently accessed “around the same time period.” (Premera, at p. 1202.)
Similarly, in Falkenberg, the court determined on a motion to dismiss that plaintiffs had adequately alleged a claim for violation of the CMIA after a thief stole a password-protected laptop containing plaintiffs’ and other
26 patients’ confidential information. (Falkenberg v. Alere Home Monitoring, Inc. (N.D.Cal., Feb. 23, 2015, No. 13-cv-00341-JST) 2015 WL 800378, at pp. *1, *3.) The court found that the plaintiffs’ CMIA claim was supported by allegations that their confidential medical information was viewed by an unauthorized party because they alleged that they gave the defendant that information, that they suffered identity theft sometime from three weeks to “weeks-and-months” from when the defendant’s laptop containing the plaintiffs’ information was stolen, that they had never suffered identity theft previously, that they took extra precautions to ensure their information was not disclosed to unknown third parties, and that the thieves opened fraudulent accounts using the plaintiffs’ social security numbers, information that the defendant had and which was “not generally as available as date of birth, full name, and address.” (Falkenberg, at p. *3.) The court noted that where a plaintiff claims a data breach caused them to be the victim of identity theft, there must be a “ ‘nexus’ ” between the alleged identity theft and the data breach “ ‘beyond allegations of time and sequence,’ ” and that there was such a nexus in that case. (Id. at p. *4.)
Applying the principles of those cases, the case here would require an assessment of each putative class member’s circumstances to determine whether his or her information was viewed by an unauthorized party and whether the data breach caused this breach of confidentiality. This assessment includes questions regarding whether third parties used plaintiffs’ information, whether this use was without authorization, the timing of this misuse, whether plaintiffs took measures to protect against the misuse of their information, whether the information used was involved in the data breach, and whether third parties could have obtained this information through other means.
27 Federal courts have denied class certification in data breach cases based on similar inquiries. (See Gardner v. Health Net, Inc. (N.D.Cal., Sept. 13, 2010, No. cv-10-2140) 2010 WL 11579028, at pp. *4–*5 [class treatment not warranted in data breach case where individualized inquiries would be required to prove the defendant’s liability for negligence and other claims based on the injury and causation elements: “the theft of a potential class member’s identity could be the result of any number of causes”]; McGlenn v. Driveline Retail Merchandising, Inc. (C.D.Ill., Jan. 19, 2021, No. 18-cv-2097) 2021 WL 165121, at pp. *8–*9 [the plaintiff failed to establish a predominance of common questions in data breach case involving almost 16,000 potential class members where the evidence showed that some putative class members may have suffered identity theft while others did not, and there were individualized issues on causation, given that some members were involved in other data breaches].)
We conclude substantial evidence supports the trial court’s determination. On the record before us, each class member’s “right to recover depends on facts peculiar to his case.” (City of San Jose v. Superior Court, supra, 12 Cal.3d at p. 459; Duran v. U.S. Bank National Assn., supra, 59 Cal.4th at p. 30.) Although it is only a general rule that a class cannot be maintained where liability turns on the facts of individual cases, the problems of proof here appear sufficiently pervasive and substantial as to support the trial court’s denial of class certification based on the predominance of those questions.
DISPOSITION The order is affirmed. Muir shall recover its costs on appeal.
28 STEWART, J.
We concur.
RICHMAN, Acting P.J.
MILLER, J.
Vigil v. Muir Medical Group (A160897)